9571283

Enabling Packet Handling Information in the Clear for MACSEC Protected Frames

Published: February 14, 2017
Assignee: not available in USPTO data we have
Inventors: Rakesh Chopra
Technical Abstract

Patent Claims
20 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method executed at a single network device, comprising: receiving, at the single network device, unsecured data sent from a source device towards a destination device; generating, at the single network device, packet handling information comprising at least one of a virtual local area network (VLAN) tag or a Multiprotocol Label Switching (MPLS) label from a portion of the unsecured data received from the source device, and wherein the packet handling information includes routing priority information determined based on the unsecured data; generating, at the single network device, encrypted payload data from the unsecured data using techniques according to the Media Access Control Security (MACSEC) standard of IEEE 802.1AE; generating, at the single network device, a MACSEC security tag; generating, at the single network device, a packet that transports the encrypted payload data towards the destination device; inserting, at the single network device, the encrypted payload data in an encrypted and authenticated portion of the packet that transports the encrypted payload data towards the destination device; inserting, at the single network device, the packet handling information into an unencrypted and unauthenticated portion of the packet; determining, based on one or more of a source address, a destination address, an encapsulation type, and the at least one of the VLAN tag or the MPLS label, a variable byte offset from a start of the packet for insertion of the MACSEC security tag; at the single network device, using the variable byte offset from the start of the packet to determine a selected location for insertion of the MACSEC security tag in the packet, wherein the selected location is after the at least one of the VLAN tag or the MPLS label; inserting the MACSEC security tag at the selected location of the packet; and sending, at the single network device, the packet on a network.

2. The method of claim 1, wherein a configurable mask is used to determine the variable byte offset.

3. The method of claim 1, further comprising: generating Integrity Check Value (ICV) information; and inserting the ICV information in the packet.

4. The method of claim 1, wherein the packet handling information includes information describing a level of service to be used for the unsecured data.

5. The method of claim 1, wherein sending comprises sending the packet on a network that employs emulation of a Layer 2 point-to-point connection-oriented service over a packet-switching network.

6. The method of claim 1, further comprising: determining an offset from an end of the MACSEC security tag at which to begin encryption of the payload data.

7. The method of claim 1, wherein the at least one of the VLAN tag or the MPLS label comprises a VLAN tag having a value added into a Priority Code Point field of the VLAN tag, the value indicating a priority level of the packet.

8. The method of claim 1, wherein the packet handling information further comprises Quality of Service (QoS) information.

9. The method of claim 1, wherein the packet handling information comprises a plurality of different pieces of packet handling information in the packet.

10. The method of claim 9, wherein at least one of the plurality of pieces of packet handling information is located in an authenticated portion of the packet.

11. A single network device, comprising: one or more network interfaces configured to receive unsecured data sent from a source device towards a destination device; at least one memory; and one or more processors configured to: generate packet handling information comprising at least one of a virtual local area network (VLAN) tag or a Multiprotocol Label Switching (MPLS) label from a portion of the unsecured data received from the source device, and wherein the packet handling information includes routing priority information determined based on the unsecured data, generate encrypted payload data from the unsecured data using techniques according to the Media Access Control Security (MACSEC) standard of IEEE 802.1AE, generate a MACSEC security tag, generate a packet that transports the encrypted payload data towards the destination device, insert the encrypted payload data in an encrypted and authenticated portion of the packet that transports the encrypted payload data towards the destination device, insert the packet handling information into an unencrypted and unauthenticated portion of the packet; determine a variable byte offset from a start of the packet for insertion of the MACSEC security tag based on one or more of a source address, a destination address, an encapsulation type, and the at least one of the VLAN tag or the MPLS label; use the variable byte offset from the start of the packet to determine a selected location for insertion of the MACSEC security tag in the packet, wherein the selected location is after the at least one of the VLAN tag or the MPLS label; insert the MACSEC security tag at the selected location of the packet, and send the packet on a network via at least one of the one or more network interfaces.

12. The single network device of claim 11, wherein the processor is configured to use a configurable mask to determine the variable byte offset.

13. The single network device of claim 11, wherein the processor is configured to: generate Integrity Check Value (ICV) information; and insert the ICV information in the packet.

14. The single network device of claim 11, wherein the packet handling information includes information describing a level of service to be used for the unsecured data.

15. The single network device of claim 11, wherein the processor is configured to send the packet on a network that employs emulation of a Layer 2 point-to-point connection-oriented service over a packet-switching network.

16. The single network device of claim 11, wherein the processor is configured to: determine an offset from an end of the MACSEC security tag at which to begin encryption of the payload data.

17. The single network device of claim 11, wherein the at least one of the VLAN tag or the MPLS label comprises a VLAN tag having a value added into a Priority Code Point field of the VLAN tag indicating a priority level of the packet.

18. The single network device of claim 11, wherein the packet handling information further comprises Quality of Service (QoS) information.

19. The single network device of claim 11, wherein the packet handling information comprises a plurality of different pieces of packet handling information.

20. The single network device of claim 19, wherein at least one of the plurality of pieces of packet handling information is located in an authenticated portion of the packet.
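The frame layout described by claims 1 through 20, as a worked example added here; it is not code from the patent, its inventor or any assignee's product. It is Python with only the standard library: the AES-GCM that IEEE 802.1AE specifies is replaced by a clearly labelled stand-in (SHA-256 in counter mode for the keystream, HMAC-SHA256 truncated to 16 bytes for the ICV) so the example runs offline, and every frame, address, key and SCI is constructed. The offset rule goes a little beyond the claims' single VLAN case and also handles untagged frames, QinQ and MPLS label stacks. The `conf_offset` parameter is this example's name for the "offset from an end of the MACSEC security tag at which to begin encryption" of claims 6 and 16, and gives the clear-but-authenticated region of claims 10 and 20. Claim 2's configurable mask is not implemented.

```python
import hashlib
import hmac
import struct

# EtherTypes (real IEEE assignments)
ETH_P_8021Q = 0x8100   # customer VLAN tag
ETH_P_8021AD = 0x88A8  # service VLAN tag (QinQ)
ETH_P_MPLS = 0x8847    # MPLS unicast label stack
ETH_P_MACSEC = 0x88E5  # MACsec SecTAG
TAG_LEN = 4            # an 802.1Q tag and an MPLS label entry are each 4 bytes
ICV_LEN = 16

def sectag_offset(frame: bytes) -> int:
    """Variable byte offset from the frame start at which the SecTAG is inserted:
    after DA/SA and after every VLAN tag or MPLS label that is to stay in the clear.
    The encapsulation type seen at each step decides how many 4-byte units to skip."""
    off = 12  # DA (6) + SA (6)
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype in (ETH_P_8021Q, ETH_P_8021AD):
            off += TAG_LEN  # skip TPID + TCI; the next EtherType follows
        elif etype == ETH_P_MPLS:
            off += 2  # skip the MPLS EtherType, then walk the label stack
            while True:
                (entry,) = struct.unpack_from("!I", frame, off)
                off += TAG_LEN
                if entry & 0x100:  # bottom-of-stack bit set: last label
                    return off
        else:
            return off  # untagged payload begins here

def build_sectag(pn: int, sci: bytes, payload_len: int) -> bytes:
    """SecTAG = EtherType, TCI/AN, SL, PN, SCI. TCI bits SC (SCI present), E, C set; AN = 0."""
    sl = payload_len if payload_len < 48 else 0  # 802.1AE short-length field
    return struct.pack("!HBBI", ETH_P_MACSEC, 0x20 | 0x08 | 0x04, sl, pn) + sci

def _stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-GCM confidentiality in this example only: SHA-256 in counter mode."""
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))

def _icv(key: bytes, aad: bytes, ct: bytes) -> bytes:
    """Stand-in for the GCM tag: HMAC-SHA256 truncated to 16 bytes over AAD || ciphertext."""
    return hmac.new(key, aad + ct, hashlib.sha256).digest()[:ICV_LEN]

def protect(frame, key, pn, sci, conf_offset=0) -> bytes:
    """Insert the SecTAG at the variable offset. Bytes before it (DA/SA, VLAN/MPLS)
    stay unencrypted and unauthenticated; the first conf_offset bytes after the
    SecTAG stay clear but authenticated (claims 6 and 10); the rest is encrypted."""
    off = sectag_offset(frame)
    clear_hdr, payload = frame[:off], frame[off:]
    sectag = build_sectag(pn, sci, len(payload))
    ct = _stream_xor(key, sci + pn.to_bytes(4, "big"), payload[conf_offset:])
    return clear_hdr + sectag + payload[:conf_offset] + ct + _icv(key, sectag + payload[:conf_offset], ct)

def verify(protected, key, conf_offset=0):
    """Locate the SecTAG with the same offset rule, check the ICV, decrypt.
    Returns the recovered frame, or None when the ICV does not verify."""
    off = sectag_offset(protected)
    if struct.unpack_from("!H", protected, off)[0] != ETH_P_MACSEC:
        return None
    sectag = protected[off:off + 16]  # 8-byte header + 8-byte SCI (SC bit set)
    pn, sci = struct.unpack_from("!I", sectag, 4)[0], sectag[8:16]
    body, icv = protected[off + 16:-ICV_LEN], protected[-ICV_LEN:]
    clear_auth, ct = body[:conf_offset], body[conf_offset:]
    if not hmac.compare_digest(icv, _icv(key, sectag + clear_auth, ct)):
        return None
    return protected[:off] + clear_auth + _stream_xor(key, sci + pn.to_bytes(4, "big"), ct)

def demo() -> dict:
    """All frames, keys and addresses below are constructed for the example."""
    key, sci = b"\x11" * 16, bytes.fromhex("0200000000010001")  # SCI = SA + port 1
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("020000000001")
    vlan = struct.pack("!HH", ETH_P_8021Q, (5 << 13) | 100)  # PCP 5, VID 100
    inner = struct.pack("!H", 0x0800) + bytes(range(60))  # IPv4 EtherType + dummy bytes
    frame = dst + src + vlan + inner
    prot = protect(frame, key, pn=1, sci=sci)
    # A QoS node rewrites PCP in the clear VLAN tag: the frame still verifies. That is
    # the purpose of the scheme, and also why such fields must not be trusted downstream.
    remarked = bytearray(prot)
    remarked[14] = (1 << 5) | (remarked[14] & 0x1F)  # PCP = top 3 bits of the TCI
    # Any change inside the authenticated portion (here the PN) is rejected.
    tampered = bytearray(prot)
    tampered[sectag_offset(prot) + 7] ^= 1
    qinq = dst + src + struct.pack("!HH", ETH_P_8021AD, 10) + vlan + inner
    mpls = dst + src + struct.pack("!HII", ETH_P_MPLS, (16 << 12) | 64, (17 << 12) | 0x100 | 64) + inner
    return {
        "vlan_offset": sectag_offset(frame),
        "qinq_offset": sectag_offset(qinq),
        "mpls_offset": sectag_offset(mpls),
        "roundtrip": verify(prot, key) == frame,
        "pcp_rewrite_accepted": verify(bytes(remarked), key) is not None,
        "sectag_tamper_rejected": verify(bytes(tampered), key) is None,
    }
```

Running `demo()` gives offsets of 16, 20 and 22 bytes for the single-tagged, QinQ and two-label MPLS frames, a successful round trip, an accepted PCP rewrite and a rejected SecTAG change. Note the trade-off the claims make explicit: standard 802.1AE includes DA and SA in the authenticated data, whereas here everything before the SecTAG is outside the ICV, so the priority, VLAN or label information a transit device reads from the clear header is exactly as trustworthy as that transit path. Placing a copy of the handling information inside the `conf_offset` region (claims 10 and 20) lets the receiving end detect modification of that copy.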

Patent Metadata

Filing Date: Unknown

Publication Date: February 14, 2017

Inventors: Rakesh Chopra


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Enabling Packet Handling Information in the Clear for MACSEC Protected Frames” (9571283). https://patentable.app/patents/9571283

© 2026 Patentable. All rights reserved.
